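# /etc/systemd/system/grafana.service
#
# Runs the Grafana stack described by /etc/grafana/docker-compose.yml via the
# docker-compose client. NOTE: every sandboxing directive in [Service] below
# confines only the docker-compose process started by this unit. The
# containers it brings up are spawned by the Docker daemon (docker.service),
# outside this unit's cgroup and sandbox, so their isolation has to come from
# the compose file and the daemon configuration, not from this unit.

[Unit]
Description=Grafana
# After= only orders start-up; without a requirement dependency the first
# ExecStart would simply fail when the daemon is not running and rely on
# Restart= to retry. Requires= pulls docker.service in and stops this unit
# when the daemon is explicitly stopped.
Requires=docker.service
After=nginx.service docker.service

[Service]
Delegate=no
# Keep disabled alternatives on their own line: systemd has no trailing
# comments, so "Delegate=no ; Restart=on-failure" written on a single line
# would be parsed as the (invalid) value of Delegate=.
; Restart=on-failure
Restart=always
RestartSec=10
ExecStart=/usr/bin/docker-compose -p grafana -f /etc/grafana/docker-compose.yml up
ExecStop=/usr/bin/docker-compose -p grafana -f /etc/grafana/docker-compose.yml stop

# ---- Hardening: applies to the docker-compose client only (see header) ------
# Empty set: the compose client needs no capabilities of its own; it only
# talks to the Docker API socket.
CapabilityBoundingSet=
# Deny-list filter (leading "~"); presumably blocks memfd_create to close the
# anonymous-file route around MemoryDenyWriteExecute= further down.
SystemCallFilter=~memfd_create
ProtectProc=invisible
ProtectHome=true
# Listing namespace types permits only those; creating net and mnt
# namespaces is denied.
RestrictNamespaces=uts ipc pid user cgroup
NoNewPrivileges=True
#SecureBits=noroot-locked
# Whole filesystem read-only except /dev, /proc and /sys. Assumes the compose
# client needs no writable paths; if it does, grant them with ReadWritePaths=
# rather than relaxing this.
ProtectSystem=strict
DevicePolicy=closed
PrivateTmp=true
PrivateDevices=true
PrivateUsers=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
LockPersonality=true
# W^X for process memory; pairs with the memfd_create filter above.
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
# Only the host's native ABI; rejects syscalls made through compat ABIs.
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target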